3/02/2010 @ 3:00AM

Researchers Call Google Hackers 'Amateurs'

When Google declared in January that it had been the subject of a “highly sophisticated and targeted attack” on its network, cybersecurity researchers were quick to connect the incident to a wave of stealthy and innovative cyberspies striking companies around the world. But follow Google's hackers down their rabbit hole, as one group of cybersecurity researchers says it has done, and a portrait of those digital intruders emerges that conflicts with their “superhacker” image.

According to a report that researchers at the cybersecurity firm Damballa plan to release Tuesday, the China-based “Aurora” hackers who targeted Google were both more varied in their tactics and far less advanced than early analyses depicted. The Atlanta-based firm links the attacks to a group of “botnets” (collections of computers compromised with hidden software) that used techniques it described as “old school” and “amateur.”

“A great play is being made about how sophisticated these attacks were,” says Damballa’s vice president of research Gunter Ollman. “But tracing back the attacks shows that they were not sophisticated, and that the attackers behind them have a history of running multiple botnets with a variety of tools and techniques,” many of which, he says, were far more rudimentary than Google or the cybersecurity industry has portrayed.

Damballa says it traced the Aurora botnet to command and control computers in 22 countries, including China, the United States, the United Kingdom, Germany and Taiwan. By analyzing the structure and activities of the botnet based on information pulled from those command servers, it found that the botnet used a technique known as “dynamic domain name system command and control,” in which infected machines locate their controllers by resolving hostnames registered with dynamic DNS providers. That is an older, more easily detected method of communication among hijacked computers, one that Damballa says is rarely used by professional botnet operators today.
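Why dynamic-DNS command and control counts as “more easily detected” is easiest to see against a resolver log. The following is an added example, not code from the Damballa report or from this article: it scans a constructed set of DNS query records for hosts that repeatedly resolve names under dynamic-DNS provider zones at a near-constant interval, the check-in pattern a bot produces when it polls its controller. The provider zone list, the log format and the timing thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Dynamic-DNS provider zones to watch. Illustrative assumption, not a list
# from the report; a real deployment would feed this from threat intel.
DYNDNS_ZONES = ("dyndns.org", "no-ip.com")

# Constructed resolver log (not real traffic): "<epoch_seconds> <client_ip> <qname>"
SAMPLE_LOG = """\
1260000000 10.0.0.7 www.example.com
1260000000 10.0.0.12 update.ctl-host.dyndns.org
1260000300 10.0.0.12 update.ctl-host.dyndns.org
1260000100 10.0.0.7 mail.example.com
1260000600 10.0.0.12 update.ctl-host.dyndns.org
1260000700 10.0.0.7 home.someuser.no-ip.com
1260000900 10.0.0.12 update.ctl-host.dyndns.org
1260001200 10.0.0.12 update.ctl-host.dyndns.org
1260005000 10.0.0.7 home.someuser.no-ip.com
"""


def is_dyndns(qname, zones=DYNDNS_ZONES):
    """True if qname is the zone itself or a name beneath one of the zones."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        yield int(ts), client, qname.lower().rstrip(".")


def find_ddns_beacons(text, min_queries=4, max_jitter=0.2):
    """Return (client, qname, query_count, mean_interval_seconds) for every
    client that resolves a dynamic-DNS name at near-regular intervals.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between successive queries; a bot polling on a timer scores near 0,
    a human browsing a dynamic-DNS-hosted site scores much higher."""
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if is_dyndns(qname):
            series[(client, qname)].append(ts)

    hits = []
    for (client, qname), stamps in series.items():
        if len(stamps) < min_queries:
            continue                      # too few samples to call it a beacon
        stamps.sort()                     # log lines may arrive out of order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = float(mean(gaps))
        if avg <= 0:
            continue                      # duplicate timestamps, no period to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((client, qname, len(stamps), avg))
    return sorted(hits)


if __name__ == "__main__":
    for client, qname, n, period in find_ddns_beacons(SAMPLE_LOG):
        print(f"{client} -> {qname}: {n} lookups every ~{period:.0f}s")
```

A legitimate home-office host also resolves dynamic-DNS names, so the zone match alone is only a lead; it is the timer-like regularity of the lookups, visible in any resolver or passive-DNS log, that makes this style of command and control easy to pick out compared with fast-flux or peer-to-peer designs.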

Ollman adds that the malicious software that infected Google’s network, a Trojan known as Hydraq, contained code that was at least five years old and lacked the “armor” that typically obfuscates malicious software’s purpose and prevents it from being removed.
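The “armor” Ollman refers to is packing or encryption of the executable's code, and its absence is something an analyst can check without running the sample: packed or encrypted sections have a near-uniform byte distribution, so their Shannon entropy sits close to 8 bits per byte, while plain compiled code and string tables sit well below that. The following is an added illustration, not code from the Damballa report or from this article; the two byte buffers are constructed stand-ins for PE sections, not bytes from Hydraq, and the 7.0-bit threshold is a common rule of thumb adopted here as an assumption.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: a code section this close to uniform is almost certainly
    compressed or encrypted rather than plain compiled code."""
    return shannon_entropy(section) >= threshold


def classify_sections(sections: dict) -> dict:
    """Map section name -> (entropy, packed?) for a dict of section bytes."""
    return {name: (round(shannon_entropy(data), 3), looks_packed(data))
            for name, data in sections.items()}


# Constructed stand-in for an unprotected .text section: a repeated x86-style
# function prologue plus a few imported API name strings. Not from any real sample.
PLAIN_TEXT_SECTION = (
    b"\x55\x8b\xec\x83\xec\x10\x56\x8b\x75\x08" * 200
    + b"CreateFileA\x00WriteFile\x00GetTempPathA\x00" * 20
)

# Constructed stand-in for a packed or encrypted section: seeded pseudo-random
# bytes, which is what compressed or ciphered code looks like to this test.
_rng = random.Random(2010)
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    report = classify_sections({".text": PLAIN_TEXT_SECTION, "UPX1": PACKED_SECTION})
    for name, (ent, packed) in report.items():
        print(f"{name:6s} entropy={ent:.3f} bits/byte  packed={packed}")
```

On a real binary the same function is applied per section (the `pefile` module exposes section data, and newer versions compute entropy directly). The check is a heuristic, not proof: a large embedded image or certificate will push a section's entropy up, and a packer that pads its output with filler can pull it down, which is why the result is read alongside section names, import-table size and string content rather than on its own.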

Those claims are already raising controversy in the cybersecurity community, which has taken the Google China hackings as a rallying cry against a new wave of skilled cyberspies that it has labeled “the advanced persistent threat.” Beyond the Google incident, cyberspies have recently gained access to major oil companies, according to a report in the Christian Science Monitor. And they’ve also hacked more than 100 agencies, schools, think tanks and contractors, including Northrop Grumman and General Dynamics, which do business with the Pentagon (See story, “Dozens of Defense Contractors, Agencies Hacked.”)

The cybersecurity firm McAfee, for instance, which performed an initial analysis of the Google hack, wrote in an email to Forbes that it stands by its initial conclusion that Operation Aurora was “one of the most impactful and sophisticated cyberattacks in history.” McAfee adds that “the goal of the attackers was not to create a botnet but to compromise key systems of interest to gain access to valuable resources.”

Damballa’s report also threatens to undercut Google, given the search giant’s claims about the hackers’ high level of skill. The company’s threat to stop censoring its Chinese search engine, and even to close its Beijing office in response to the incident, also implies that the attacks were state-sponsored, but Damballa’s researchers say this is unlikely given the skill level of the intruders.

Responding to the report, Google spokesperson Jay Nancarrow told Forbes he wouldn’t comment on Google’s ongoing investigation of the attacks, but that the company stands by its original statement. He added that Damballa has “no firsthand knowledge of the investigation.”

According to Damballa’s timeline of events, the Aurora operation’s botnets began to test communications between command and control servers in July of last year. By August the botnets had infected many companies’ networks using a variety of techniques, including spoofed downloads for antivirus or spyware removal software. Damballa declined to reveal which companies were targeted, and says it wasn’t able to detect what data was stolen from victims.

Damballa’s researchers believe that last fall the botnet operators began to rent out or sell control of the botnets, based on lulls in activity that imply a transfer of ownership. The researchers concur with Google that the search giant’s computers were first infected in December. They say the botnet operators likely used a variety of entry points, including but not limited to the previously unknown vulnerability in Internet Explorer that McAfee and others have cited as the hackers’ breach point. (See story, “Google Hackers’ Unexpected Backdoor.”)

All of that, according to Damballa’s researchers, means the attack was less a highly targeted cyberspying operation than simply “just another botnet,” as the report describes it.

Damballa’s Ollman stresses that the report isn’t meant to detract from the seriousness of other recent cyberattacks and intrusions. But he argues that so-called “advanced persistent threat” hackers shouldn’t be confused with what he describes as run-of-the-mill botnets operated by the Aurora hackers.

Says Ollman: “The fact that they were detected and that Google made disclosures about them is actually hiding the fact that there are more advanced botnets that cause more damage in enterprises.”